x509: certificate signed by unknown authority

[dirk-olmes]

We use a company repository that does not have a publicly valid ssl certificate but one that's signed by our company internal CA. When I'm trying to pull an image from that repo I get the following error message:

Failed to pull image "repo.company.com/product/image:1.0.0": rpc error: code = Unknown desc = failed to pull and unpack image "repo.company.com/product/image:1.0.0": failed to resolve reference "repo.company.com/product/image:1.0.0": failed to do request: Head "https://repo.company.com/v2/product/image/manifests/1.0.0": x509: certificate signed by unknown authority

I tried to use a registries.yaml config file when starting the k3d cluster and have verified that its content ends up in the server-0 container that runs the cluster. However I'm still unable to pull the image from our internal repository. Here's the content of the registries.yaml:

mirrors:
  repo.company.com:
    endpoint: 
      - "https://repo.company.com"
configs:
  repo.company.com:
    tls:
      ca_file: "/data/company-ca.crt"
      insecure_skip_verify: true

Next I tried to upload the company-ca.crt into the running server-0 container. I put the file to /etc/ssl/certs. Applying a simple pod yaml that references the image still does not work. But I can pull the image just fine using the ctr image pull command line when I exec into the server-0 container. After manually pulling the image I can start the pod just fine since the image is already present.

What am I missing here? What would be the proper setup to have containerd pull from our company's internal repository?

This seems to be on the same page as #507

[iwilltry42]

Hi @dirk-olmes , thanks for starting this discussion!

I tried to use a registries.yaml config file when starting the k3d cluster

Can you please provide the full k3d cluster create command that you issued?

But I can pull the image just fine using the ctr image pull command line

Is that without any additional flags?

The general config is described here: https://rancher.com/docs/k3s/latest/en/installation/private-registry/#configs

[dirk-olmes]

Hi @iwilltry42 ,

the full command for starting the cluster using a registries.yaml is k3d-windows-amd64.exe cluster create mycluster --volume %CD%\cluster-data:/data@all --registry-config registries.yaml --port 30080:30080@server[0] --wait but that does not work. Only if I omit the --registry-config registries.yaml and patch the container as described above I'm able to pull containers. Pulling works without any additional flags, i.e. ctr image pull repo.company.com/product/image:1.0.0

[iwilltry42]

I guess it's similar to #705 which was discussed over in the k3s repo here: k3s-io/k3s#3830